Full Report
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet, available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications. [1] https://security.paloaltonetworks.com/
Analysis Summary
# Vulnerability: Buffer Overflow in PAN-OS User-ID Authentication Portal (Siemens RUGGEDCOM APE1808)
## CVE Details
- **CVE ID:** CVE-2026-0300
- **CVSS Score:**
  - CVSS v3.1: **10.0 (Critical)**
  - CVSS v4.0: **9.3 (Critical)**
- **CWE:** CWE-787 (Out-of-bounds Write)
## Affected Systems
- **Products:**
  - Siemens RUGGEDCOM APE1808 (application hosting platform)
  - Palo Alto Networks Virtual NGFW (running on APE1808)
  - Palo Alto Networks PA-Series and VM-Series firewalls
- **Versions:** All versions of PAN-OS utilized on RUGGEDCOM APE1808.
- **Configurations:** Systems are vulnerable only if both of the following criteria are met:
  1. The User-ID™ Authentication Portal (Captive Portal) is configured.
  2. The Interface Management Profile has "Response Pages" enabled.
## Vulnerability Description
A critical buffer overflow flaw exists in the User-ID™ Authentication Portal service of Palo Alto Networks PAN-OS software. The vulnerability is triggered by the improper handling of specially crafted network packets sent to the service. Because the service runs with high privileges, a successful exploit allows an unauthenticated attacker to achieve out-of-bounds memory writes, leading to arbitrary code execution with **root privileges**.
## Exploitation
- **Status:** Handled as a zero-day/high-risk vulnerability (refer to upstream Palo Alto Networks advisories for active exploitation telemetry).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system configuration and firmware)
- **Availability:** High (Ability to crash the device or disrupt network traffic)
## Remediation
### Patches
- Siemens is currently preparing fix versions.
- Customers are advised to contact Siemens customer support to receive specific patch and update schedules for the RUGGEDCOM APE1808.
### Workarounds
- **Disable User-ID™ Authentication Portal:** If the feature is not strictly required, disable it entirely.
- **Disable Response Pages:** Disable "Response Pages" in the Interface Management Profile on all Layer 3 interfaces facing untrusted or internet-bound traffic.
- **Restrict Access:** Using Security Policies (ACLs), restrict access to the Authentication Portal to only known, trusted internal IP addresses.
- **Selective Enablement:** Keep Response Pages enabled only on internal/trusted zone interfaces where legitimate user browser traffic originates.
## Detection
- **Indicators of Compromise:** Monitor for unexpected crashes of the User-ID service or unauthorized root-level process execution.
- **Detection methods:** Monitor logs for malformed packets targeting the Captive Portal service (typically on ports 6080, 6081, or 6082 depending on configuration).
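The "Restrict Access" workaround and the detection guidance above both come down to one question: is anything outside the trusted address ranges reaching the Captive Portal ports? The script below is an added example, not code from Siemens or Palo Alto Networks; it reads a simplified, constructed CSV log format (timestamp, source IP, destination IP, destination port, action) rather than the real PAN-OS traffic log schema, and the trusted networks are an assumed placeholder for your own internal ranges.

```python
"""Flag traffic log rows where an untrusted source reaches an
Authentication Portal (Captive Portal) port.

Assumption: the log is a constructed CSV of
timestamp,src_ip,dst_ip,dst_port,action. Adapt the column order to
whatever your log exporter actually emits."""
import csv
import ipaddress
from io import StringIO

# Ports the advisory names for the Captive Portal service; the one in use
# depends on the device configuration, so all three are watched.
CAPTIVE_PORTAL_PORTS = {6080, 6081, 6082}

# Assumed placeholder for the internal ranges legitimate portal users come from.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z,10.1.2.3,10.0.0.1,6081,allow
2026-01-15T10:00:02Z,203.0.113.7,10.0.0.1,6081,allow
2026-01-15T10:00:03Z,203.0.113.7,10.0.0.1,443,allow
2026-01-15T10:00:04Z,198.51.100.9,10.0.0.1,6080,deny
2026-01-15T10:00:05Z,192.168.5.5,10.0.0.1,6082,allow
"""


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_portal_access(log_text: str) -> list:
    """Return rows where an untrusted source hits a portal port.

    Denied rows are reported as well: a blocked probe is still worth a
    look, and the 'allowed' flag shows whether the Security Policy
    restriction from the workarounds is actually in effect."""
    findings = []
    for ts, src, dst, port, action in csv.reader(StringIO(log_text)):
        if int(port) in CAPTIVE_PORTAL_PORTS and not is_trusted(src):
            findings.append({"time": ts, "src": src, "dst": dst,
                             "port": int(port), "allowed": action == "allow"})
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_portal_access(SAMPLE_LOG):
        print(finding)
```

An "allowed" finding means the portal is reachable from an untrusted source and the access restriction is missing or misordered; a "denied" finding is the policy doing its job but still worth correlating with User-ID service crashes.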
## References
- **Siemens Advisory:** https://cert-portal.siemens.com/productcert/pdf/ssa-967325.pdf
- **Vendor Advisory:** https://security.paloaltonetworks.com/
- **Industrial Security Guidelines:** https://www.siemens.com/cert/operational-guidelines-industrial-security